Why I hate the Cookie Directive

I posted a blogpost to Facebook on Saturday entitled “Dear ICO: This is why web developers hate you“. My comment on the post read as follows:

Excellent rant explaining why the EU Privacy Directive (the “Cookie law”) may well suck (which it does — it’s a fucking stupid piece of legislation that should never have been passed) but it’s the ICO who’ve made the Internet industry’s lives hell of late. Sheer simple incompetence.

I’ve had two comments on that post thusfar, one from a friend and ex-colleague who works in the Internet industry in a similar fashion to me — he’s Director of User Experience at a software consultancy. Francois broadly agreed with me:

We are amongst the many, many agencies who spent days and lots of our clients’ money designing and implementing a user-unfriendly opt-in solution, now obsoleted by the ICO’s last-minute change of heart.

The other is from another friend of mine who is a lawyer, also working in the Internet sphere. He however disagreed with me (which isn’t terribly surprising, noone agrees with all their friends all the time, after all). He did so at some length, which I sha’n’t quote here verbatim and completely, as the comment was on a non-public Facebook post.

But Francis’s comment prompted me finally to get round to blogging about my thoughts on the EU “Cookie Directive”, why I think it’s such a terrible piece of legislation and why I believe the ICO handled the situation shamefully incompetently. Apart from anything else, I am currently standing for election to the Board of the Open Rights Group and it seems only fair to justify my opinion to the ORG members who will be considering whether or not they would like to vote for me as someone to represent them on ORG’s Board of Directors. And let me be clear here, I’m not falling out with Francis, I’m not wanting to provoke an argument and I’m not wanting to suggest that he’s foolish, naïve or anything else. I just disagree with his analysis of the situation.

There are two main things I object to around the revised Privacy Directive — the directive itself and the advice from the ICO on the subject. Unlike Francis, I agree with Oliver Emberton and his rant (linked at the top of this post).

There are several points here. One is that the Directive is stupid and, to contradict Francis, I believe the EU are most definitely not right on this. There is a very sensible tendency not to legislate about technologies themselves, but about the use those technologies are put to. If you want an imperfect analogy: we don’t ban knives, we ban stabbing people with them. Francis mentioned constant harping at a technology-neutral law, except it isn’t technology-neutral, and that’s part of the problem. Now HTTP is a stateless protocol. Being able to persist state across a user’s visit to a site is very important. Being able to generate anonymised information about how users use a site, with analytics software, is also very important. Almost all uses of cookies are completely harmless and almost all web users couldn’t give the faintest toss about cookies. A few uses are indeed A Bad Thing™ and should be regulated, with at least a requirement to allow users to provide informed consent. But most uses aren’t.

The text of the directive itself is wholly irrelevant to this discussion. How Member States will incorporate it into law and how they will enforce that domestic law is what matters — indeed all that matters. That this will vary across Europe is a problem in and of itself — plenty of the campaigns we work on in my day-job are pan-European. I have a map on the window next to me at work, with European countries coloured red (stringent controls), yellow (a bit complex), green (relatively light-touch, such as here), black (I don’t know but would expect to) or grey (they probably won’t ever care, for non-EEA territories). (I’d share this map, but some of the information is derived from a non-Free source who specifically asked that I refrain from sharing it more widely. Sorry.)

Francis mentioned that there’s nothing last minute about it. I’m sorry, but I believe he’s completely wrong there. Whilst the original directive was made a decade ago and the revision in question is a few years old (dated 18 December 2009, if you didn’t realise), most people in the web industry knew nothing about this law until 13 months or so ago, then we were told the day before the deadline that it was all ok, no-one needed to do anything quite yet and we could take our time about it.

That’d be lovely, except for two things. Everyone in the industry is already busy doing the rest of our work, sure, but the important point is that it’s really difficult to explain to clients with finite budgets that they need to give us money to do this thing they’ve never heard about and almost certainly don’t care about. On top of that, I’m a really busy guy; I’ve spent quite a lot of the last month or two making recommendations to clients, reading their legal advice, reading their technical implementation details and so on. Even our clients’ lawyers only started caring about this within the last six to eight weeks.

Even that would be fine, except that the ICO has been very reluctant to give any advice that’s actually been helpful — as Oliver Emberton put it:

Look at your own implementation of the law (pictured) for instance. You rightly state others might improve upon this, but surely it occurred to you to hire a web developer who didn’t just drop out of kindergarten to design a solution that would be seen as the template for an industry? Surely you realise your own solution reflects the hard-edged ‘explicit opt in’ nightmare most web devs fear, not the light-touch ‘implied opt in’ you ultimately allowed everyone else to use?

Then, after that, we wait to see if the ICO is going to produce more information or if the advice that we probably need to be as over-cautious as possible is going to be the final pronouncement.

And we wait…

And we wait…

And then — 12 hours before the deadline, when we’ve all already spent weeks stressing about getting changes live to ensure our clients are compliant with our interpretation of the regulations, on a sunny Friday afternoon — the ICO bothers to tell us that actually he’s probably not gonna get all that upset if we merely pretend to get something that could rationally be defined as an explicit opt-in. Information which has evidently already been shared with many big sites around the UK, but not shared more generally.

Thanks for that. To quote Oliver Emberton again:

Any web developer who actually tried to comply with the law in either case has been royally and totally screwed, for no reason other than your blithering incompetence. … We’ve been floundering in a wind of ignorance while the one body with the responsibly to clarify anything sat on their collective asses and changed their mind last minute.

The most useful thing the ICO has done, frankly, is to give tacit endorsement of the ICC UK Cookie Guide, pticly with its concept of categorising cookies by privacy impact (pages 10 and 11).

Combine the ICO’s handling of the issue with the frankly catastrophic effects their opt-in solution had, with 90% of users not opting in and simply disappearing from their analytics:
Tracked visits to ICO website prior and post explicit opt-in. Pre-opt-in maximum is around 12k visitors, post opt-in maxmimum is around 1500 visitors. Analytics are vitally important to maintaining a user-friendly site and measuring how well you are engaging with your userbase. Without basic analytics, there is no way of measuring if your site or campaign has been successful, nor is there any way of working out how to improve the parts of a site that are serving users poorly — or even which parts those are.

Part of the problem with this legislation is that compliance, for most websites of any size or complexity, is not quick and easy. Almost all websites will use cookies for something — generally session cookies and third-party analytics. Session cookies definitely fall into the category of “strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user” (§66). The ICO has advised that analytics cookies do not.

Digital agencies, such as my employers, typically have many clients, each with several sites, all of which only get much attention paid to them when the client initiates an order for work. Clients, of course, have finite budgets, which are generally earmarked in advance. Lack of clarity from the ICO, combined with clients’ understandable reluctance to pay for any work that won’t have an obvious return on investment. Small mom-and-pop style web outfits (and remember that the overwhelming majority of UK companies are SMEs) have neither the time nor the money to make such changes, even if they have the expertise; alternatives to things like Google Analytics simply aren’t within their reach.

So a year’s “grace period” turns into nine months of nothing, followed by another statement from the ICO that started the trade press and industry lawyers actively talking about it, around Christmas. In the last two months, most of our clients at work have woken up to the issue — either from their legal departments or from our bringing it to their attention. (Obviously, this has to coincide with me being really busy at work; such is Sod’s law ;o)

We’ve implemented a handful of different solutions for clients at work. Some clients have just decided to remove the third-party functionality that drops cookies (such as Facebook Social plugins). Others are using technologies such as CookieQ, which converts all cookies to temporary cookies (deleted on closing the browser) until and unless a user opts-in to longer-persisting cookies. Many companies are simply taking the attitude that it’s the responsibility of Facebook and Google to gain a user’s consent for their cookies. The industry’s canonical example of how to inform users whilst giving them some choice, is that by BT (click “Change cookie preferences” in the footer or the “Change settings” button in the overlay that’s probably appeared in the bottom right)

BT cookie preferences dialog, showing a slider to allow users to choose between 'strictly necessary & performance', 'functional' and 'targeting' cookies

Many sites, however — including the BBC, The Guardian and Channel 4 — provide the user with little choice in the matter because, frankly, being able to use the functionality provided by cookies is just too important to the site owners and very few users will care enough for it to matter. These sites all provide information to users on what cookies are and, often, how to opt out of third-party marketing / tracking cookies. This is the best most users are likely to get.

Again, I should apologise for quoting Francis as much as I am doing. I’m not wanting to argue with him specifically, it’s just that his comments provided me with several cues for the points I wanted to make here. One of his comments was what’s gone wrong here is that the technology doesn’t work properly. So fix it. Except we can’t. The technology that doesn’t work properly is web browsers, not web sites. We can’t fix that, we make websites. As I have mentioned, complying with this law is not quick and simple and the functionality provided by cookies is often not something siteowners can manage without, irrespective of the ICO’s poor advice on the matter.

As I have said several times: a terrible piece of legislation, terribly implemented, with shockingly poor quality of advice. The EU and domestic governments alike must do better. Our laws in this area should protect users’ privacy without costing too high a price for business. This law meets neither aim.

Advertisements

Ymatebwch

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s